(54) Secure communication with mobile hosts

(57) A method for secure data communication with a mobile machine (104) in which a data packet is received (501, 601) from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure (308) is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet, an association between the received data packet's network address and a secure address in the data structure is identified and the data packet's network address is translated (507, 607) to the associated secure address before forwarding (509, 609) the data packet on to higher network protocol layers. When the received data packet is not secure it is passed (503, 603) on without address translation to the higher network protocol layers. For outgoing packets addressed to a secure address, the secure address is translated to a real network address (e.g., IPv4 or IPv6 addresses) and the packet payload is encrypted (608). Outgoing packets that are addressed directly to real network addresses pass (509) through in a conventional manner.
Description

BACKGROUND OF THE INVENTION 

1. Field of the Invention.

[0001] The present invention relates, in general, to secure communications, and, more particularly, to secure data communications with a mobile computer over an insecure network.

2. Relevant Background. 

[0002] A typical computing environment includes a secure network, such as a local area network (LAN) or wide area network (WAN), that can only be accessed by computers that are authorized by the network administrator to have access. These networks are non-public and so security can be readily controlled with conventional password management techniques. Mobile users can access the network through, for example, dial-up connections through a server or gateway that verifies the user's identity and access privileges.
[0003] An important use of the Internet and other public data communication networks is the ability to exchange data between mobile computers and an organization's secure internal network. However, the public network is not secure. An internal secure network uses a gateway machine or "firewall" to couple the internal network to the external insecure network. A firewall is a hardware and/or software system designed to prevent unauthorized access to or from a private network. A firewall examines all packets entering and exiting the private network and blocks those that fail to meet specified security criteria. In an Internet environment, the gateway performs security operations on the IP layer by using, for example, SunScreen™ SKIP (SunScreen is a trademark of Sun Microsystems, Inc.). SKIP is a public key certificate-based key-management scheme which provides key-management for Internet protocols. Data communications using a secure gateway in this manner are referred to as "secure IP".

[0004] All external hosts must be able to communicate with the internal network using secure IP at any time, but must also be allowed to reach the internal network while transmitting in the clear. This is useful if some services on the internal network must be accessible by the general public (e.g., web server or software download access) and by privileged users such as employees who may have additional rights on those services, e.g., downloading proprietary information. Because of this, a gateway device cannot always provide authorization control simply by filtering out transmissions received in the clear.

[0005] Prior secure IP systems provide authorization control using access control lists (ACLs) that list each IP network address (or other unique network identifier) that is authorized to access a particular resource on the internal network. In general, a gateway can place a static IP address on its ACL and authorize communication from that address to access services on the internal secure network. While this system addresses some problems related to access control, it does not authenticate that the received data packet truly originated from a particular machine.

[0006] A particular difficulty arises in that hosts coupled to the external network may be either regular "static" Internet nodes (i.e., having a permanently assigned IP address) or mobile nodes (i.e., nodes having a dynamically assigned IP address). It is also possible for a host with a static address to be in secure mode at some time, and be in a clear mode at some other time (e.g., the host running Windows (TM) and Unix at different times). Moreover, two mobile hosts with different security properties may appear under the same dynamically assigned IP address at different times. In these instances merely relying on authorization based on the incoming packet's IP address is insufficient. The gateway machine must be able to authenticate or verify that data received from a remote system truly originated from that system. This situation must be correctly handled by the gateway to prevent, for example, hijacking of TCP connections.

[0007] For example, when an outside machine using secureIP disconnects from the Internet, thereby relinquishing its IP address, it can be replaced by a second machine transmitting in the clear that has been assigned the first machine's IP address. From the secure network's perspective, the incoming TCP packets may have come from either a second machine using the first machine's IP address, or from the first machine that is now sending in the clear. The second machine will not be able to break the secureIP security, but it may be able to send data in the clear that will reach the internal network. Desirably, the gateway must detect the difference between these two situations, and hinder the second machine's attempts to send packets on behalf of the old machine. At the same time, the gateway must not allow the fallback to clear text to be abused by an enemy to force all communication to go on in the clear. However, the incoming IP packets do not identify any machine-specific information that would enable the gateway to distinguish between the first machine and the second machine using the same IP address.
[0008] Many proposed approaches to mobile user security require the mobile user to specially configure the security software on the mobile machine. However, this makes the security software more difficult to install and use, which is undesirable. To encourage widespread use of secureIP on a variety of machines, it is desirable that the software devices install out of the box, without significant effort to specially configure the software.
[0009] Prior solutions, including SKIP and similar IP security protocols, offer support for mobile hosts by either assigning them a permanent ID (called a master key ID or MKID in SKIP) that is stored in the mobile machine and is transferred with every IP packet. Alternatively, a new security association may be established each time a new mobile IP address is acquired. Although these solutions prevent an intruder with a hijacked IP address from reading encrypted packets, they do not solve the problem of address hijacking so long as the gateway allows the mobile host to send data in the clear. In these cases, the intruder may set the MKID field to zero to force communication in the clear while the security association is maintained by the gateway.
[0010] Moreover, this approach does not allow machines on the internal network to find out whether the incoming link is secure. The gateway holds the list of authorized addresses and performs the encryption/decryption functions. This information is not transmitted or shared with the internal network devices. Hence, the internal network machines cannot tell from examining the header of a received packet whether the packet was from a secureIP link or received in the clear. It would be useful for the internal devices to be aware of this information so that they could take intelligent action in response to receiving a packet with unexpected security properties.

[0011] Another approach uses "firewalls" which give the capability to do address translation for topology hiding. This hinders non-authorized users' efforts to find out about the structure and potentially vulnerable points of the internal network. Although this approach makes address hijacking less effective, it does not prevent its occurrence. Another solution relies on control messages transmitted from mobile hosts to establish IP tunnels. These tunnels provide a mechanism needed to redirect data addressed to the mobile host to a dynamically assigned IP address. Tunnels hinder address hijacking by encrypting packet header information as well as the packet payload, but are difficult to set up and require complex security management mechanisms.
[0012] The Internet Engineering Task Force (IETF) working groups for mobile IP have focused on one potential solution for the support of mobile hosts in the current internet structure. For this, mobile hosts get assigned a "home IP address", and a temporary routing address that is used to address traffic. In the gateway from the mobile network to the traditional Internet, address translation and rerouting may be performed, such that the mobile node appears to be reachable on its home address at all times. This approach can result in a security risk if a request message was sent by a host that had hijacked the dynamic IP address without cryptographically verifying the authenticity of such messages. In order to avoid this risk, all request messages transmitted by a mobile host to the secure network must be authenticated using a message authentication code such as, for example, the keyed-MD5 algorithm.
[0013] A need exists for a security method and system that support mobile hosts in a public network, that solve the security risks created by dynamic IP address assignment to prevent an external machine from impersonating a secured machine, allow internal machines to detect whether the outside machine is coming in using a secured connection, and enable the system to be easily configured and used such that it can bootstrap with little or no user intervention. Desirably, the security method and system can be implemented without access control lists, timers, or other complex security management systems such that it is compatible with load balancing mechanisms.

SUMMARY OF THE INVENTION 

[0014] Briefly stated, the present invention involves a method for secure data communication between an inside network and a mobile machine in which a data packet is received from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet, an association between the received data packet's network address and a secure address in the data structure is identified and the data packet's network address is translated to the associated secure address before forwarding the data packet on to higher network protocol layers. When the received data packet is not secure it is passed on without address translation to the higher network protocol layers.
[0015] When packets are received by the gateway from the inside network, and are addressed to a secure address, then the secure address is replaced by the corresponding network address and the packet is encrypted and authenticated. As used herein, the term "securing a packet" means authentication and/or encryption - and not necessarily encryption only. In this manner, bi-directional secure communications are supported.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0016]

FIG. 1 illustrates computer equipment programmed to implement the method and system in accordance with the present invention;

FIG. 2 illustrates a network computer environment implementing the method and system in accordance with the present invention;

FIG. 3 shows in block diagram form essential components of a gateway machine in accordance with the present invention;

FIG. 4 shows an example address translation data structure in accordance with the present invention;

FIG. 5 shows a flow diagram of steps for processing inbound data in accordance with an implementation of the method and system of the present invention; and

FIG. 6 shows a flow diagram of steps implemented to process outbound data in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0017] The present invention is described in terms of a method and apparatus implemented in conjunction with the SKIP secure Internet protocol system. However, it should be understood that the essential teachings of the present invention may be applied to other environments where network addresses are globally unique (i.e., only one user is able to use a given address at any given time) and where security is performed at the ISO/OSI network layer.

[0018] The present invention employs a combination of dynamically enabled address translation together with packet encryption and authentication to achieve a secure data connection between an "inside" secure network and a mobile host. Optionally, a dynamically filled access control list (ACL) is used in combination with the address translation. Both unsigned Diffie-Hellman (uDH) keys and X.509 certificates may be used to identify mobile hosts. This prevents an insecure machine from hijacking the identity of a secure machine and allows machines on an internal secure network to detect whether an outside host is using a secure connection.
[0019] A policy to accept uDH certificates without further analysis enables the system to be easily accessed by users in a secure manner, as the administrator does not have to authenticate the unsigned keys for them to be used. Although uDH certificates are not by themselves associated with a particular machine, and therefore are less secure than X.509 certificates, the present invention augments the uDH key with an assigned secureIP address. The unsigned uDH certificates can be upgraded at a later time to X.509 certificates by a system administrator with or without user involvement. This makes the system easy to use without significant user involvement and readily upgradable to provide improved security using X.509 certificates, or the equivalent.

[0020] FIG. 1 illustrates a computer system 100 configured to implement the method and apparatus in accordance with the present invention. A gateway computer 102 receives data communications in the form of data packets from mobile host computer 104. Gateway computer 102 comprises a processing unit 106 for executing program instructions that is coupled through one or more system busses to a user interface 108. User interface 108 includes available devices to display information to a user (e.g., a CRT or LCD display and the like) as well as devices to accept information from the user (e.g., a keyboard, mouse, and the like). A memory unit 110 (e.g., RAM, ROM, PROM and the like) stores data and instructions for program execution. All or part of memory unit 110 may be integrated with processor 106.

[0021] Storage unit 112 comprises mass storage devices (e.g., hard disks, CDROM, network drives and the like). Network adapter 114 converts data from the system bus to and from a format suitable for transmission across public network 105. Network adapter 114 also supports communication with an internal secure network 107. A system may include more than one network adapter 114 to provide a desired level and type of network connectivity. Network adapter 114 is equivalently substituted by a modem or other analog, digital or mixed analog-digital adapter for a communications network.
[0022] Mobile host 104 typically comprises a similar group of components including a processor 116, a user interface 118, and host memory 120. Mobile host storage 122, in a particular example, stores programs and data that are transmitted via modem 124 through public network 105 to gateway machine 102. In operation, mobile host 104 accesses secure network 107 through gateway machine 102.

[0023] It should be understood that a typical environment will support any number of other devices including workstations, servers, personal computers, and peripheral devices coupled to internal network 107. Each device coupled to internal network 107 is identified by a locally unique network address. Any or all of such devices may be accessible via public network 105 using gateway machine 102. Also, a typical environment will include a plurality of mobile hosts similar to mobile host 104 as well as static hosts that are coupled to public network 105 using permanent network addresses. Each device coupled to public network 105 is identified by a globally unique network address. Devices coupled to internal network 107 can access devices coupled to public network 105 through gateway machine 102.
[0024] FIG. 2 shows an exemplary communication environment such as an Internet environment wherein public network 105 is accessed via a service provider (e.g., Internet service providers (ISP) or online service provider) through machines 201 and 202. Service provider machines 201 and 202 are essentially programmed general purpose computers similar to that shown in FIG. 1 that are optimized to provide a plurality of connections to mobile user machines 104 and 214 as well as static users such as secure network 107. Service provider machines accept connection requests and authenticate users' access rights to public network 105.
[0025] In a typical environment, some users have permanently assigned (i.e., static) network addresses while others have network addresses that are dynamically assigned by a service provider machine 201 or 202 from a pool of network addresses "owned" by the service provider. In this manner, the service provider can reassign and reuse network address space and need only own sufficient network address space to support the maximum number of concurrent users. Of particular interest in the understanding of the present invention is that mobile user 104 may be assigned a network address by service provider machine 201. After mobile user 104 logs off, that same network address may be dynamically assigned to mobile user 214.

[0026] Ordinarily mobile users 104 and 214 do not control the dynamic assignment of IP addresses and so cannot control which address will be received. However, an intruder using, for example, mobile user machine 214 can use several techniques including collusion with service provider machine 201 to increase the likelihood of receiving an IP address previously in use (or even currently in use) by mobile machine 104. As described in greater detail hereinafter, if mobile machine 104 has established a security association with secure network 107, the intruding mobile machine 214 can gain access privileges that it is not authorized to possess. The present invention operates to prevent such unauthorized access enabled by address hijacking.
[0027] Secure network 107 accesses insecure network 105 through a gateway machine 102. Gateway machine 102 has a secure port coupled to secure network 107 (also called a secure subnet 107) and an insecure port coupled to insecure network 105 through, for example, service provider machine 202. Each device coupled to secure network 107 such as server 203, workstation 205, workstation 206 and gateway machine 102 has a unique network address used to route information within the secure network 107. Optional hub 207 provides interconnection between machines coupled to secure network 107. Gateway machine 102 serves to pass data in the form of data packets having a header portion and a payload portion, between machines coupled to secure network 107 and machines coupled to public network 105.

[0028] The data packets passing through gateway machine 102 may be secure, such as SKIP packets, or may be in the clear. For general applicability it is necessary that gateway machine 102 pass insecure packets without impediments while appropriately analyzing secure packets and performing the required encryption/decryption function in analysis device 303. Data packets include header information that includes a destination address identifier indicating a unique network address, either on the secure subnet or the insecure subnet, that is intended to receive the data packet. Other fields may include key information used for encryption/decryption and authentication purposes.
[0029] Gateway machine 102 includes a packet analysis device 301, shown in FIG. 3, that monitors addresses of inbound and outbound packets to machines outside of secure network 107. The present invention operates by selectively routing packets based upon whether the as-received packet header includes an address that is stored in an entry of address translation unit 302. Address translation unit 302 includes a data structure 308 holding address pairs associating a "secureIP" address with a real network address (e.g., an IPv4 or IPv6 address) as shown in FIG. 4. Optionally, each entry may include a timestamp or other state data or metadata useful for particular applications. As the term is used herein, a "secureIP" address is an address that can be formatted similarly to an IP address, but that is assigned by the gateway machine 102 dynamically once the gateway machine has authorized a particular mobile host. Gateway machine 102 has a pool of secureIP addresses (e.g., a reserved class C subnet or the 10.* net or an equivalent) from which it can assign the secureIP address to a particular address pair. They are chosen and controlled by the network administrator operating gateway machine 102. Anybody inside the gateway receiving such an address can be assured that the link on the outside is not in the clear. Desirably, two separate address spaces are used for the secureIP address, one for uDH certificates, one for X.509 type certificates.
[0030] In general the present invention operates by assigning a secureIP:network address pair in address translation unit 302 based upon the key material of the received packet when a security association is established. The key material is a value assigned to the entity holding the key such as the "master key" used in SKIP, as well as a uDH key or X.509 key discussed above. It is presumed for purposes of the present invention that each key is unique (i.e., no two mobile hosts use the same key at the same time). In SKIP, the master key is associated with a Master Key ID (MKID) that is transmitted in the SKIP header of a data packet.
[0031] The address pair is maintained by updating the network address whenever a secure packet is received with the same key material as an existing address pair. That is to say, if Host A is sending secure packets from IP address "1.2.3.4", address translation unit 302 creates an address pair having an assigned secureIP address (e.g., "7.7.7.7") associated with the network IP address 1.2.3.4. When Host A later connects through a different IP address (e.g., 1.2.3.5) using the same key material (e.g., an MKID associated with Host A), the address pair is updated from "7.7.7.7:1.2.3.4" to "7.7.7.7:1.2.3.5". In this manner, the address pairs maintained by address translation unit 302 always include the network IP address from which the last secure packet was received from Host A. The address pair is the only state information that needs to be kept, although other state information may be included for particular applications.
[0032] When Host A stops sending secure packets the address pair entry may eventually be removed from the address translation device 302, indicating that a security association with this IP address no longer exists. Host A can reestablish a security association at any time using the key material known to Host A; however, an intruder that does not know this key material cannot establish a security association from the same IP address.
[0033] It should be noted that while the address pair created by address translation unit 302 includes the network address of the received packet, that information does not authorize access from any machine sending packets from that IP address. Unlike prior ACL-type security techniques, the address pair in address translation unit 302 serves to map packets addressed to the secureIP address to the associated network address, but does not directly affect encryption/decryption. If an address pair exists in address translation device 302 it is known to have come from a machine that was sending secure packets and so encryption and authentication must occur using encrypt/decrypt unit 303. In this manner, gateway machine 102 maintains a security association in which the network IP address follows the unique key material that is associated with a particular machine, in contrast to prior implementations in which the network IP address was permanently or semi-permanently authorized once a security association was established.
[0034] The secureIP address is a unique address assigned to a particular machine, or more accurately, to the key held by a particular machine. When the gateway machine receiving a data packet has an address pair for a particular key the sending machine is said to be "known" to the gateway machine. As described below, the address pairs in address translation unit 302 are dynamically assigned and maintained.
[0035] In operation, as a data packet is received the protocol field of the IP header (or the equivalent) for each incoming packet is examined to determine if the packet is secure. For example, SKIP packets are identified by a "57" in the protocol field. Packets that are received in the clear are passed on transparently to higher protocol layers in a conventional manner. Similarly, outbound packets that are received by gateway 102 in the clear are passed on transparently. In accordance with the present invention, data packets sent in the clear do not require address translation and so will not have an address pair entry unless secure packets were earlier received from the same IP address.
[0036] When an incoming packet is identified as secure (e.g., by having an appropriate value in the protocol field of the packet's IP header), the key is extracted from each packet by analysis device 301. The gateway machine 102 next determines if the extracted key is known to the gateway machine. Analysis device 301 uses the key to find or determine the corresponding secureIP address. If an address pair does not already exist the public key of the sending machine is retrieved from the sending machine itself, or from database 307. Database 307 may be a local database or a remote central depository using certificate discovery protocol (CDP).
[0037] Optionally, an access control list 304 may be used in conjunction with the address translation mechanism in accordance with the present invention to verify that the outside machine is an authorized user by checking whether the outside machine's address exists in access control list (ACL) 304. The use of an ACL, however, will carry with it some of the inherent limitations of ACL technology such as limiting load balancing performance.

[0038] Gateway machine 102 assigns a secureIP address to each machine that sends secure data packets. All devices within secure network 107 use this locally unique address as the destination address for packets intended for delivery to a secure mobile machine 204 or 214. For secure packets, address translation device 302 (e.g., a lookup table, address cache, content addressable memory or the like) translates the locally unique secure address to the appropriate real network address. Analysis device 301 also executes encryption/decryption unit 303 to encrypt outgoing packets and decrypt incoming packets. The data packet is sent on with the translated address.

[0039] Gateway machine 102 may maintain database 307 for storing key certificates such as unsigned Diffie-Hellman keys (uDH) and X.509 key certificates. Database 307 maintains key information and historical security association information for outside machines (e.g., mobile machines 204 and 214). Database 307 also maintains a secure locally unique address, such as a secureIP address, associated with each key information entry. In this manner, database 307 enables a prior security association to be reestablished whenever a secure data packet is received for which key information already exists in database 307.
[0040] In prior implementations address translation for outgoing data packets was performed indefinitely on the assumption that the translation remained valid for so long as packets continued to be received from and/or sent to the specified globally unique address. However, this allowed the secure network to continue sending data packets to a network address even after another machine had taken over that address. In accordance with the present invention, address translation device 302 is not used for packets that are received in the clear, without regard to the IP address from which the insecure packet was received. Hence, even though a packet is received from an IP address for which a security association exists, it is not remapped to the secureIP address when the packet is received in the clear.
[0041] Devices on the inside network communicate with the secure mobile host using the secureIP address stored in address translation unit 302. Address translation unit 302 translates the secureIP address to a real network address (e.g., IPv4 or IPv6 addresses). For all traffic addressed to a secureIP address the packet's data or payload is encrypted. Packets that are addressed directly to real network addresses pass through in a conventional manner.
[0042] In a preferred implementation gateway machine 102 continues to enable address translation to a particular IP address for outgoing packets for a limited time after gateway 102 stops receiving secure packets from that IP address. Because any packets addressed to that secureIP address will be encrypted using the legitimate host's key information, there is no difficulty in continuing to send out data to the IP address even if that IP address has been hijacked, as the intruder will not have the legitimate host's key information. If the legitimate host begins to send secure packets again, the timer 306 can be reset (if it has not expired) and address translation will continue. If the preselected time has already expired, the security association must be reverified and a new address translation entry set up. This enables a legitimate host to send both secure and clear packets with minimal overhead required to maintain the security association.

[0043] Operation of the method and system in accordance with the present
invention is conveniently understood in terms of processing incoming and
outgoing data packets. Essential steps are described with reference to the
flow diagrams shown in FIG. 5. For any incoming data packet, gateway
machine 102 will determine if the data packet is secure (e.g., a SKIP
packet) or received in the clear. Packets that are received in the clear
are passed on transparently to higher network levels for routing to
specific devices within secure network 107. For packets that are received
in the clear, address translation is not performed.

[0044] When the received data packet is secure (i.e., the machine sending
the packet is using SKIP) it will include key information that enables
gateway 102 to determine its public key values. This key information
typically is not the key itself, as transmitting a key with each packet
adds an unacceptable amount of overhead and leads to an undesirable amount
of exposure for the key. Instead, the key information typically comprises a
key identification, such as the SKIP NSID/MKID information, that is
relatively compact.

[0045] The process in accordance with the present invention determines if
the key is known to the gateway machine. If the key was recently used it
may be available in a cache, register, or local memory (not shown). If not,
the public key corresponding to the sending machine's address is obtained
from database 307 or via the certificate discovery protocol (CDP). In a
preferred implementation, when both a uDH and an X.509 key are available,
the X.509 key is preferentially used. As a part of obtaining a key, the
system desirably verifies that there is no revocation, access denial or
other invalidation for this key that is known to the gateway machine.
[0046] Once a public key is obtained, the process continues by obtaining or
assigning a secureIP address to the machine sending the data packet. When
the public key information is an X.509 key certificate, the address stored
in the certificate is used as the secureIP address assigned to the entity
holding the key certificate. When the public key information is a uDH key
certificate, database 307 will include a record of a previously assigned
secureIP address corresponding to this certificate. If a secureIP address
has not been previously assigned, gateway machine 102 assigns and stores a
secureIP address in address translation device 302. Where each certificate
entry in address translation device 302 includes a timestamp, this is
updated. At this point, gateway machine 102 knows the key for the machine
and a secureIP address.

[0047] There are at least three ways to handle the address translation
entries. These optional methods serve to maintain the address translation
table and clear out old, unused entries. These methods include:

1) If the total number of concurrent users is smaller than the available
address space, then it is not necessary for address translation entries to
time out. The gateway may hold address translation entries for all of the
concurrent users, and just remember the latest used association of secureIP
address (and key information) with the incoming network address.

2) In a second case, the time when the last secure packet came in is
remembered by, for example, storing a time stamp with each entry in address
translation unit 302. As soon as a sufficiently long time (e.g., one hour)
has passed without receiving any incoming secure packets from that network
address, the address translation entry for that host is removed from or
invalidated in the address translation table. In this case the address
translation mechanism includes devices for monitoring the timestamps on
each entry and expiring, invalidating or removing old entries.

3) In a third case, a timer 306 is started when a packet is received in the
clear from an IP address for which an entry exists in address translation
unit 302. Timer 306 will cause address translation for this machine's
address to expire after a preselected time has elapsed. When subsequent
secure packets are received from the same machine address, timer 306 is
reset so that address translation does not expire. In this manner, the
present invention operates something like a watchdog timer that halts
address translation unless a secure packet is received within a time period
defined by timer 306.

[0048] Steps involved in outbound packet processing are shown in FIG. 6.
For packets addressed to a secureIP address in translation device 302, the
secureIP address is translated to the real, dynamically assigned network
address held by the outside machine 202 or 204. In the case of SKIP secure
packets, address translation is set up from this NSID/MKID address on the
outside to the secureIP address on the inside. Whenever a network IP
address is translated to a secureIP address that has been previously used,
the older entry is removed.

[0049] For all incoming secured traffic, addresses are translated to the
secureIP address, decryption is performed, and the data packets are sent on
to internal network 107. All incoming data packets from the outside that
claim to come from a secureIP address are filtered out and discarded.
Because the secureIP address pool is known only to the internal network
107, no external device should be able to use that secureIP address,
including the machine to which it is assigned.
[0050] For outgoing traffic, if the traffic goes to a normal outside
address (e.g., a non-secureIP network address such as an IP address), it is
passed on to the public network 105 unmodified, without any address
translation. When an outgoing data packet is addressed to a secureIP
address the address translation is performed as described above. In cases
where there is no mapping in the address translation device 302, the packet
is discarded.

[0051] In a particular implementation, to further broad availability, each
mobile host is preconfigured with SKIP (or an equivalent security
protocol), CDP running, and one strong DH key pair generated during system
configuration. To begin using the SKIP gateway, these machines just send
SKIP packets. The gateway will fetch the uDH certificate from them, and
actually start using it immediately (unless otherwise configured by the
gateway administrator). If a more persistent security association is
desired, the gateway administrator signs the mobile host's public key,
thereby binding the secureIP address to the public key value in a strong
manner. The mobile host user is not involved, unless the gateway
administrator wants to confirm an identity, which can be added to the
certificate.

[0052] Machines on the outside (assuming they all have differing keying
material) simply cannot interfere with each other. If the dynamic IP
address is relocated to another host using a secure connection, the change
can be detected due to differing MKIDs and thus address translation is
easily switched over by updating the address pair entry in address
translation device 302 (e.g., a new secure IP address and new keying
material assigned to this network address). If a change from a non-SKIP to
a SKIP machine occurs, the connection can easily upgrade by creating an
address translation entry where none existed for the non-SKIP machine.
[0053] If an address from which SKIP packets have been received begins to
talk in the clear, the incoming packets are passed on with their outside
address. Outgoing packets to this address will pass unhindered, and in the
clear. If there are still SKIP packets on the way to the outside, they will
be mapped to the same address, SKIPed and forwarded. This does not
compromise security because the non-SKIP machine will just throw those
packets away.

[0054] Because address translation and encryption/decryption remain in
control of the legitimate host, the legitimate host can immediately talk in
cleartext to the internal network while an intruder trying to throw an
outside host into cleartext mode will fail. The legitimate host will go on
doing SKIP (or an equivalent security operation), get address translation,
and the translation will not expire. Even if address translation does
expire it will simply be reestablished when the legitimate host begins
sending secure packets later.

[0055] In an optional embodiment, secureIP addresses assigned to uDH key
certificates can be expired some time after they were last used, allowing
reuse of the pool. This expiration is on the order of days or weeks. This
is a matter of convenience as it cleans up the database, making it smaller
by removing information about secureIP addresses that are no longer in use.
[0056] One potential attack involves an intruder trying to cause a denial
of service failure in gateway 102. In such an attack, an intruder could
have assembled a large number of uDH certificates that are sent to the
gateway 102. This would cause gateway 102 to assign secureIP addresses from
its pool to the uDH certificates and may exhaust the available pool of
addresses. This attack does result in a partial denial of service to
legitimate hosts attempting to establish a security relationship with the
gateway using uDH certificates that are not yet assigned to secureIP
addresses. However, existing connections that have assigned secureIP
addresses stay up, and newcomers having X.509 certificates can also
continue to connect. Only hosts relying on uDH where no address assignment
has taken place yet would fail to connect. This type of attack is
detectable and non-fatal.
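The inbound and outbound handling of [0043]-[0050], the expiry policies of [0047] and the uDH pool-exhaustion case of [0056], modelled as an added Python example (not code from the patent). The Packet and Entry types, the 10.99. secure prefix, the 60-second watchdog, the ENC() payload tag and the sample addresses are constructed for illustration; policy 1 of [0047] corresponds to setting IDLE to infinity.

```python
# Added example (not the patent's code): Packet fields, secure prefix and timer values are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str                           # real network address in the header
    dst: str
    payload: bytes
    key_id: Optional[str] = None       # SKIP NSID/MKID-style key id; None = in the clear
    cert_kind: Optional[str] = None    # "x509" or "udh" (constructed labels)
    cert_addr: Optional[str] = None    # secureIP bound inside an X.509 certificate

@dataclass
class Entry:
    secure_ip: str
    key_id: str
    last_secure: float                 # time of last secure packet ([0047], case 2)
    clear_deadline: float = float("inf")   # timer 306 watchdog; inf = not running ([0047], case 3)

class Gateway:
    WATCHDOG = 60.0    # seconds of clear traffic before translation lapses (assumed)
    IDLE = 3600.0      # one hour without secure packets expires an entry ([0047], case 2)

    def __init__(self, pool, secure_prefix):
        self.pool = list(pool)         # free secureIP addresses
        self.prefix = secure_prefix    # secureIP range known only to the inside ([0049])
        self.table = {}                # network address -> Entry (data structure 308)
        self.by_key = {}               # uDH key id -> secureIP (database 307)

    def _secure_ip_for(self, pkt):
        if pkt.cert_kind == "x509":
            return pkt.cert_addr       # address stored in the certificate ([0046])
        if pkt.key_id in self.by_key:
            return self.by_key[pkt.key_id]
        if not self.pool:
            return None                # pool exhausted: uDH newcomers fail ([0056])
        self.by_key[pkt.key_id] = sip = self.pool.pop(0)
        return sip

    def inbound(self, pkt, now):
        self.expire(now)
        if pkt.src.startswith(self.prefix):
            return None, "drop"        # outsider claiming a secureIP ([0049])
        entry = self.table.get(pkt.src)
        if pkt.key_id is None:         # clear packet: no translation, start timer 306
            if entry and entry.clear_deadline == float("inf"):
                entry.clear_deadline = now + self.WATCHDOG
            return pkt, "clear"
        if entry and entry.key_id != pkt.key_id:
            del self.table[pkt.src]    # address now held by other keying material ([0052])
            entry = None
        if entry is None:
            sip = self._secure_ip_for(pkt)
            if sip is None:
                return None, "drop"
            self.table = {a: e for a, e in self.table.items() if e.secure_ip != sip}  # [0048]
            entry = self.table[pkt.src] = Entry(sip, pkt.key_id, now)
        entry.last_secure, entry.clear_deadline = now, float("inf")   # secure packet resets timer
        return Packet(entry.secure_ip, pkt.dst, pkt.payload), "secure"

    def outbound(self, pkt, now):
        self.expire(now)
        if not pkt.dst.startswith(self.prefix):
            return pkt, "clear"        # normal outside address passes unmodified ([0050])
        for addr, e in self.table.items():
            if e.secure_ip == pkt.dst: # translate and encrypt (encryption stubbed as a tag)
                return Packet(pkt.src, addr, b"ENC(" + pkt.payload + b")"), "secure"
        return None, "drop"            # no mapping in device 302 ([0050])

    def expire(self, now):
        for addr, e in list(self.table.items()):
            if now >= e.clear_deadline or now - e.last_secure >= self.IDLE:
                del self.table[addr]
```

Both methods return the packet handed on (or None) together with the action taken, so a caller can see whether a packet was translated, passed in the clear, or discarded.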

[0057] Although the invention has been described and illustrated with a
certain degree of particularity, it is understood that the present
disclosure has been made only by way of example, and that numerous changes
in the combination and arrangement of parts can be resorted to by those
skilled in the art without departing from the scope of the invention, as
hereinafter claimed.



1. A method for secure data communication with a mobile machine (104)
comprising the steps of:

    establishing a pool of secure addresses;
    receiving (501,601) a data packet from the mobile machine, the data
    including a particular network address for the mobile machine;
    creating a data structure (308) holding address translation
    associations wherein each association is between a particular network
    address and a particular one of the secure addresses;
    determining (502,602) if the received data packet is a secure data
    packet;
    when the received data packet is a secure packet, identifying an
    association (504,506) between the received data packet's network
    address and a secure address in the data structure; and
    translating (507,607) the data packet's network address to the
    associated secure address before forwarding (509,609) the data packet
    on to higher network protocol layers.

2. The method of claim 1, wherein when the received data packet from the
particular network address is not secure, passing (503) it on without
address translation to higher network protocol layers.

3. The method of claim 2, further comprising, in response to receiving a
data packet from the particular network address that is not secure,
terminating address translation for the particular network address after a
preselected time interval measured by a timer (306).

4. The method of claim 3, further comprising:

    receiving a subsequent data packet from the mobile machine (104), the
    subsequent data packet including the particular network address;
    determining if the subsequent data packet is a secure packet; and
    when the subsequent data packet is a secure packet, resetting the
    timer.

5. The method of claim 1, wherein the step of identifying an association
between the received data packet's network address and a secure address in
the data structure (308) further comprises:

    examining the data structure to determine if an association for the
    particular network address is already stored in the data structure.

6. The method of claim 1, wherein the step of identifying an association
between the received data packet's network address and a secure address in
the data structure further comprises:

    determining (504) a public key for the received data packet;
    determining whether the public key is already associated with one of
    the secure addresses and, if so, using (505,506) the already assigned
    secure address to create an association in the data structure (308).

7. The method of claim 6, further comprising:

    when the public key is not associated with one of the secure
    addresses, assigning one of the secure addresses from the pool of
    secure addresses to create an association in the data structure (308).

8. The method of claim 6, wherein the step of determining a public key
comprises requesting the at least one key from a local database (307).

9. The method of claim 6, wherein the step of determining a public key
comprises requesting the public key using the certificate discovery
protocol (CDP).

10. The method of claim 6, further comprising a step of verifying that the
public key is not revoked and not invalidated.

11. The method of claim 6, wherein when the public key is an X.509 key
certificate

12. The method of claim 1, further comprising:

    discarding all received data packets that contain a particular network
    address that is one of the pool of secure addresses.

13. A system for secure data communications with a mobile machine (104)
comprising:

    a gateway machine (102) having a secure port for coupling to a secure
    network (107) and an insecure port for coupling to an insecure network
    (105);
    a data structure (308) within the gateway machine holding address
    translation associations wherein each association is between a
    particular network address and a particular secure address;
    an address translation device (302) within the gateway machine coupled
    to the data structure and operative to translate between a secure
    address and its associated network address and between a network
    address and its associated secure address;
    an analysis device (301) in the gateway machine for analysing data
    packets received from the insecure network to determine whether the
    received data packet is secure and operative to enable the address
    translation device when the received data packet is secure.

14. The system of claim 13, further comprising means for measuring elapsed
time (306) since a packet is received in the clear, wherein the analysis
device (301) is coupled to the address translation device (302) to
invalidate a selected address translation association in the data
structure at a preselected time after a packet is received in the clear
from the network address associated with the address translation
association.

15. The system of claim 14, wherein the timer (306) is reset upon receiving
a secure packet.

16. The system of claim 13, wherein each address translation association in
the data structure (308) corresponds to a network address from which no
data packet has been sent in the clear since receiving a secure data
packet.

17. The system of claim 13, wherein the address translation associations in
the data structure (308) are dynamically updated in response to receiving a
data packet from a network address that has an entry in the data structure
but includes new key information.

18. A computer program product for secure data communication with a mobile
machine (104) operable on a networked computer system (100) having a
gateway computer (102) comprising a processor (106) and data storage
devices (112) coupled to the processor, the product comprising:

    computer implemented code devices executing on the processor and
    configured to cause the computer (102) to define a pool of secure
    addresses;
    computer implemented code devices executing on the processor and
    configured to cause the computer (102) to receive (501,601) a data
    packet from the mobile machine, the data including a particular network
    address for the mobile machine;
    computer implemented code devices executing on the processor and
    configured to cause the computer (102) to create a data structure (308)
    holding address translation associations, wherein each association is
    between a particular network address and a particular one of the secure
    addresses;
    computer implemented code devices executing on the processor and
    configured to cause the computer (102) to determine (502,602) if the
    received data packet is a secure data packet;
    computer implemented code devices executing on the processor and
    configured to cause the computer (102) to identify an association
    (504,506) between the received data packet's network address and a
    secure address in the data structure when the received data packet is a
    secure packet; and
    computer implemented code devices executing on the processor and
    configured to cause the computer (102) to translate (507,607) the data
    packet's network address to the associated secure address before
    forwarding (509,609) the data packet on to higher network protocol
    layers.

19. The product of claim 18, further comprising computer implemented code
devices executing on the processor and configured to cause the computer to
pass (503,603) the data packet on without address translation to higher
network protocol layers when the received data packet from the particular
network address is not secure.

20. The product of claim 18, further comprising:

    computer implemented code devices executing on the processor and
    configured to cause the computer to respond to receiving a data packet
    from the particular network address that is not secure by starting a
    timer (306) measuring time elapsed since the insecure data packet was
    received; and
    computer implemented code devices executing on the processor and
    configured to cause the computer to terminate address translation for
    the particular network address after a preselected time interval as
    measured by the timer.

21. The product of claim 19, further comprising:

    computer implemented code devices executing on the processor and
    configured to cause the computer to receive a subsequent data packet
    from the mobile machine, the subsequent data packet including the
    particular network address;
    computer implemented code devices executing on the processor and
    configured to cause the computer to determine if the subsequent data
    packet is a secure packet; and
    computer implemented code devices executing on the processor and
    configured to cause the computer to reset the timer (306) when the
    subsequent data packet is a secure packet.

22. The product of claim 18, wherein the computer implemented code devices
that identify whether an association between the received data packet's
network address and a secure address in the data structure further
comprise:

    computer implemented code devices executing on the processor and
    configured to cause the computer to examine the data structure to
    determine if an association for the particular network address is
    already stored in the data structure (308).

23. The product of claim 18, wherein the computer implemented code devices
that identify an association between the received data packet's network
address and a secure address in the data structure further comprise:

    computer implemented code devices executing on the processor and
    configured to cause the computer to determine (504) a public key for
    the received data packet;
    computer implemented code devices executing on the processor and
    configured to cause the computer to determine whether the public key is
    already associated with one of the secure addresses and, if so, use
    (505,506) the already assigned secure address to create an association
    in the data structure (308).

24. The product of claim 18, further comprising:

    computer implemented code devices executing on the processor and
    configured to cause the computer to assign one of the secure addresses
    from the pool of secure addresses to create an association in the data
    structure (308) when the public key is not associated with one of the
    secure addresses.

25. The product of claim 18, wherein the computer implemented code devices
that identify an association between the received data packet's network
address and a secure address in the data structure further comprise:

    computer implemented code devices executing on the processor and
    configured to cause the computer to verify that the public key is not
    revoked and not invalidated.

26. A computer program embodied on a propagating signal for secure data
communication with a mobile machine (104) operable on a networked computer
system (100), comprising:

    a plurality of code segments comprising code portions configured to:
    establish a pool of secure addresses;
    receive (501,601) a data packet from a mobile machine, the data
    including a particular network address for the mobile machine;
    create a data structure (308) holding address translation associations
    wherein each association is between a particular network address and a
    particular one of the secure addresses;
    determine (502,602) if the received data packet is a secure data
    packet;
    identify an association (504,506) between the received data packet's
    network address and a secure address in the data structure when the
    received data packet is a secure packet; and
    translate (507,607) the data packet's network address to the
    associated secure address before forwarding (509,609) the data packet
    on to higher network protocol layers.

27. A computer program providing for secure data communication on an
insecure network such as the Internet between mobile computers and an
organization's secure internal network, which when running on a computer
is capable of performing the method steps of any one of claims 1 to 12.